Extended key preparing apparatus, extended key preparing method, recording medium and computer program

Shimoyama, Takeshi ;   et al.

Patent Application Summary

U.S. patent application number 09/811551 was filed with the patent office on 2002-01-17 for extended key preparing apparatus, extended key preparing method, recording medium and computer program. Invention is credited to Ito, Koichi, Shimoyama, Takeshi, Takenaka, Masahiko, Torii, Naoya, Yajima, Jun, Yanami, Hitoshi, Yokoyama, Kazuhiro.

Application Number20020006196 09/811551
Document ID /
Family ID18708401
Filed Date2002-01-17
United States Patent Application 20020006196
Kind Code A1
Shimoyama, Takeshi ;   et al. January 17, 2002
Extended key preparing apparatus, extended key preparing method, recording medium and computer program

Abstract

Intermediate data a.sub.i, b.sub.i, c.sub.i, and d.sub.i are prepared by an intermediate data preparing equipment 4 from a cryptographic key through a nonlinear type function operation and the like, an extended key preparing equipment 5 selects a [X.sub.r], b [Y.sub.r], c [Z.sub.r], and d [W.sub.r] corresponding to the number of stages r from the intermediate data, and rearranges the data as well as conducts that of bit operation to prepare extended keys, whereby an extended key preparing apparatus by which an extended key required in the case where common key cryptosystem is applied can be safely prepared at a high speed, a process for preparing such an extended key, and a recording medium used therefor are provided.

Inventors: Shimoyama, Takeshi; (Kawasaki, JP) ; Ito, Koichi; (Kawasaki, JP) ; Takenaka, Masahiko; (Kawasaki, JP) ; Torii, Naoya; (Kawasaki, JP) ; Yajima, Jun; (Kawasaki, JP) ; Yanami, Hitoshi; (Kawasaki, JP) ; Yokoyama, Kazuhiro; (Kawasaki, JP)
Correspondence Address: 
    STAAS & HALSEY LLP
    700 11TH STREET, NW
    SUITE 500
    WASHINGTON
    DC
    20001
    US
Family ID: 18708401
Appl. No.: 09/811551
Filed: March 20, 2001
Current U.S. Class: 380/44 ; 380/277
Current CPC Class: H04L 2209/12 20130101; H04L 9/0625 20130101
Class at Publication: 380/44 ; 380/277
International Class: H04L 009/00
Foreign Application Data
Date Code Application Number
Jul 13, 2000 JP 2000-212482
Claims


What is claimed is:

1. An extended key preparing apparatus wherein extended keys are prepared in common key cryptosystem from a cryptographic key input, comprising: a dividing unit which divides binary digit string of said cryptographic key into a plurality of elements each composed of a predetermined bit length; an intermediate data preparing unit which prepares a plurality of intermediate data by applying a plurality of times an operation wherein a predetermined constant is used to the respective elements divided by said dividing unit; a selecting unit which selects a plurality of intermediate data corresponding to the number of stages of extended keys from the plurality of the intermediate data prepared by said intermediate data preparing unit; and an extended key preparing unit which prepares the extended keys corresponding to said number of stages by converting irreversibly the plurality of the intermediate data selected by said selecting unit.

2. An extended key preparing apparatus according to claim 1 wherein said intermediate data preparing unit is provided with a nonlinear type operating unit for effecting nonlinear type operation with respect to the respective elements divided by said dividing unit.

3. An extended key preparing apparatus according to claim 2 wherein said nonlinear type operating unit performs nonlinear type operation in such a manner that when said cryptographic key is divided into eight elements of 32 bits by said dividing unit, said nonlinear type operating unit separates said elements into 6, 5, 5, 5, 5, and 6 bits to transpose the same into other data, respectively, and the data after transposition are subjected to nonlinear type operation by the use of a determinant.

4. An extended key preparing apparatus according to claim 2 wherein said intermediate data preparing unit is provided with: an addition unit which adds a constant to an odd number-th element that has been subjected to nonlinear type operation; a multiplication unit which multiplies an even number-th element which has been subjected to nonlinear type operation by said constant; and an exclusive OR operating unit which effects exclusive OR operation of said odd number-th element to which has been added the constant and said even number-th element which is succeeding to said odd number-th and to which has been multiplied by said constant.

5. An extended key preparing apparatus according to claim 4, comprising further a unit for preparing intermediate data by subjecting nonlinear type operation to the result of said exclusive OR operation of said odd number-th element and said even number-th element which is succeeding to said odd number-th.

6. An extended key preparing apparatus according to claim 5 wherein said addition unit and said multiplication unit repeat the plurality of times additions and multiplications by the use of the number i of different constants, respectively, to prepare the number i of data in every elements; said exclusive OR operating unit repeat i times operations for acquiring exclusive OR of the odd number-th element and the even number-th element which have been operated by the use of the same constants; and said preparing unit prepare the number i of intermediate data in every elements.

7. An extended key preparing apparatus according to claim 6 wherein said selecting unit selects one intermediate data corresponding to said number of stages of an extended key among the number i of intermediate data contained in the respective elements which have been prepared by said intermediate data preparing unit.

8. An extended key preparing apparatus according to claim 1 wherein said extended key preparing unit is provided with: a rearrangement unit which rearranges a plurality of intermediate data selected by said selecting unit; and an irreversible conversion unit which converts irreversibly the plurality of intermediate data that have been rearranged by said rearrangement unit.

9. An extended key preparing apparatus according to claim 8 wherein when intermediate data are rearranged in an order of elements X, Y, Z, and W by said rearrangement unit, said irreversible converting unit prepares a first data by adding the element Y to a data obtained by shifting cyclically the element X leftwards by 1 bit; prepares a second data determined by sifting cyclically the data leftwards by further 1 bit, which data has been obtained by subtracting the element W from a data obtained by shifting cyclically said element Z leftwards by 1 bit; and operates exclusive OR of said first data and said second data.

10. An extended key preparing apparatus according to claim 1 wherein said dividing unit divides a cryptographic key of 128 bits, 192 bits, or 256 bits into eight elements of 32 bits.

11. An extended key preparing method wherein extended keys are prepared in common key cryptosystem from a cryptographic key input, comprising the steps of, dividing binary digit string of said cryptographic key into a plurality of elements each composed of a predetermined bit length; preparing a plurality of intermediate data by applying the plurality of times an operation wherein a predetermined constant is used to the respective elements divided by said dividing step; selecting a plurality of intermediate data corresponding to the number of stages of extended keys from the plurality of the intermediate data prepared by said intermediate data preparing step; and preparing the extended keys corresponding to said number of stages by converting irreversibly the plurality of the intermediate data selected by said selecting step.

12. An extended key preparing method according to claim 11 wherein said intermediate data preparing step involves a nonlinear type operating step for effecting nonlinear type operation with respect to the respective elements divided by said dividing step.

13. An extended key preparing method according to claim 12 wherein said nonlinear type operating step performs nonlinear type operation in such a manner that when said cryptographic key is divided into eight elements of 32 bits by said dividing step, said nonlinear type operating step separates said elements into 6, 5, 5, 5, 5, and 6 bits to transpose the same into other data, respectively, and the data after transposition are subjected to nonlinear type operation by the use of a determinant.

14. An extended key preparing method according to claim 12 wherein said intermediate data preparing step involves: an addition step for adding a constant to an odd number-th element that has been subjected to nonlinear type operation; a multiplication step for multiplying an even number-th element which has been subjected to nonlinear type operation by said constant; and an exclusive OR operating step for effecting exclusive OR operation of said odd number-th element to which has been added the constant and said even number-th element which is succeeding to said odd number-th and to which has been multiplied by said constant.

15. An extended key preparing method according to claim 14, comprising further a step for preparing intermediate data by subjecting nonlinear type operation to the result of said exclusive OR operation of said odd number-th element and said even number-th element which is succeeding to said odd number-th.

16. An extended key preparing method according to claim 15 wherein said addition step and said multiplication step repeat the plurality of times additions and multiplications by the use of the number i of different constants, respectively, to prepare the number i of data in every elements; said exclusive OR operating step repeat i times operations for acquiring exclusive OR of the odd number-th element and the even number-th element which have been operated by the use of the same constants; and said preparing step prepare the number i of intermediate data in every elements.

17. An extended key preparing method according to claim 16 wherein said selecting step selects one intermediate data corresponding to said number of stages of an extended key among the number i of intermediate data contained in the respective elements which have been prepared by said intermediate data preparing step.

18. An extended key preparing method according to claim 11 wherein said extended key preparing step involves: a rearrangement step for rearranging a plurality of intermediate data selected by said selecting step; and an irreversible conversion step for converting irreversibly the plurality of intermediate data that have been rearranged by said rearrangement step.

19. An extended key preparing method according to claim 18 wherein when intermediate data are rearranged in an order of elements X, Y, Z, and W by said rearrangement step, said irreversible converting step prepares a first data by adding the element Y to a data obtained by shifting cyclically the element X leftwards by 1 bit; prepares a second data determined by sifting cyclically the data leftwards by further 1 bit, which data has been obtained by subtracting the element W from a data obtained by shifting cyclically said element Z leftwards by 1 bit; and operates exclusive OR of said first data and said second data.

20. An extended key preparing method according to claim 11 wherein said dividing step divides a cryptographic key of 128 bits, 192 bits, or 256 bits into eight elements of 32 bits.

21. A computer readable recording medium wherein an extended key preparing program in which extended keys are prepared in common key cryptosystem from a cryptographic key input is to be recorded, comprising: recording the program containing a dividing step for dividing binary digit string of said cryptographic key into a plurality of elements each composed of a predetermined bit length; an intermediate data preparing step for preparing a plurality of intermediate data by applying the plurality of times an operation wherein a predetermined constant is used to the respective elements divided by said dividing step; a selecting step for selecting a plurality of intermediate data corresponding to the number of stages of extended keys from the plurality of the intermediate data prepared by said intermediate data preparing step; and an extended key preparing step for preparing the extended keys corresponding to said number of stages by converting irreversibly the plurality of the intermediate data selected by said selecting step.

22. An extended key preparing program in which extended keys are prepared in common key cryptosystem from a cryptographic key input, comprising: recording the program containing a dividing step for dividing binary digit string of said cryptographic key into a plurality of elements each composed of a predetermined bit length; an intermediate data preparing step for preparing a plurality of intermediate data by applying the plurality of times an operation wherein a predetermined constant is used to the respective elements divided by said dividing step; a selecting step for selecting a plurality of intermediate data corresponding to the number of stages of extended keys from the plurality of the intermediate data prepared by said intermediate data preparing step; and an extended key preparing step for preparing the extended keys corresponding to said number of stages by converting irreversibly the plurality of the intermediate data selected by said selecting step.
Description


FIELD OF THE INVENTION

[0001] The present invention relates to an extended key preparing apparatus and method as well as to a recording medium and computer program, and particularly to an extended key preparing apparatus by which an extended key required in the case where common key cryptosystem is applied can be safely prepared at a high speed, a process for preparing such an extended key, and a recording medium and computer program used therefor.

BACKGROUND OF THE INVENTION

[0002] Common key cryptosystem wherein a cryptographic key being commonly used in both transmission and reception sides has been heretofore known. FIG. 8 is an explanatory view for explaining cryptographic processing in accordance with usual common key cryptograph. As shown in FIG. 8, the cryptographic equipment is composed of an extended key preparing means for preparing an extended key for cryptographic key, and a cryptographic processing means for encrypting a plaintext by the use of such extended key.

[0003] More specifically, since n-stages of cryptographic processing, i.e., cryptographic processing 1 to cryptographic processing n are implemented in the cryptographic processing equipment, extended key 1 to extended key n necessary for the n-stages of cryptographic processing are successively prepared in the extended key preparing means.

[0004] Accordingly, it is a very important problem in that a safe extended key is how rapidly prepared by the extended key preparing means in case of adopting common key cryptosystem.

[0005] In this connection, according to DES (Data Encryption Standard) cryptograph, extended keys 1 to n are prepared from a cryptographic key by means of only cyclical shifting and bit transposition, whereby a preparation of extended keys is realized at a high speed as shown in FIG. 9.

[0006] Furthermore, a process for preparing extended keys by means of MARS has been known as a process for preparing safer extended keys (a candidate cipher for AES, The First AES Conference, 1998, pages 1-9).

[0007] According to the above described DES cryptograph, however, an extended key is prepared by only cyclical shifting and bit transposition as shown by a mark in FIG. 9, so that there are problems in view of safety. More specifically, even if information has been leaked as to one key among the number n of extended keys prepared by extended key preparing equipment, a cryptographic key itself to be input to extended key preparing equipment becomes clear in this DES cryptosystem, whereby problems of safety arise.

[0008] On the other hand, according to the above described MARS extended key preparing apparatus, information of a cryptographic key cannot be easily acquired from information of an extended key, so that there is no problem as to safety like in DES cryptosystem. However, another problem in such that many calculations must be repeated in the process, whereby the operations require much time arises.

[0009] From the matters described above, it has been a very important problem that a safe extended key required in case of applying common key cryptosystem is how rapidly prepared.

SUMMARY OF THE INVENTION

[0010] It is an object of the present invention to provide an extended key preparing apparatus by which an extended key required in the case where common key cryptosystem is applied can be safely prepared at a high speed, a process for preparing such an extended key, and a recording medium used therefor.

[0011] An extended key preparing apparatus of a first aspect wherein extended keys are prepared in common key cryptosystem from a cryptographic key input, comprises a dividing means for dividing binary digit string of the cryptographic key into a plurality of elements each composed of a predetermined bit length (corresponding to the intermediate data preparing means 4 of FIG. 1); an intermediate data preparing means for preparing a plurality of intermediate data by applying a plurality of times an operation wherein a predetermined constant is used to the respective elements divided by the dividing means (corresponding to the intermediate data preparing means 4 of FIG. 1); a selecting means for selecting a plurality of intermediate data corresponding to the number of stages of extended keys from the plurality of the intermediate data prepared by the intermediate data preparing means (corresponding to the extended key preparing means 5 of FIG. 1); and an extended key preparing means for preparing the extended keys corresponding to the number of stages by converting irreversibly the plurality of the intermediate data selected by the selecting means (corresponding to the extended key preparing means 5 of FIG. 1).

[0012] According to the invention of the first aspect, binary digit string of the cryptographic key is divided into a plurality of elements each composed of a predetermined bit length; a plurality of intermediate data are prepared by applying the plurality of times an operation wherein a predetermined constant is used to the respective elements; a plurality of intermediate data corresponding to the number of stages of extended keys are selected from the plurality of the intermediate data prepared; and the extended keys corresponding to the number of stages are prepared by converting irreversibly the plurality of the intermediate data selected, whereby such extended keys required in the case where common key cryptosystem is applied can be safely prepared at a high speed.

[0013] Furthermore, an extended key preparing method of a eleventh aspect wherein extended keys are prepared in common key cryptosystem from a cryptographic key input, comprises a dividing step for dividing binary digit string of the cryptographic key into a plurality of elements each composed of a predetermined bit length; an intermediate data preparing step for preparing a plurality of intermediate data by applying the plurality of times an operation wherein a predetermined constant is used to the respective elements divided by the dividing step; a selecting step for selecting a plurality of intermediate data corresponding to the number of stages of extended keys from the plurality of the intermediate data prepared by the intermediate data preparing step; and an extended key preparing step for preparing the extended keys corresponding to the number of stages by converting irreversibly the plurality of the intermediate data selected by the selecting step.

[0014] According to the invention of the eleventh aspect, binary digit string of the cryptographic key is divided into a plurality of elements each composed of a predetermined bit length; a plurality of intermediate data are prepared by applying the plurality of times an operation wherein a predetermined constant is used to the respective elements; a plurality of intermediate data corresponding to the number of stages of extended keys are selected from the plurality of the intermediate data prepared; and the extended keys corresponding to the number of stages are prepared by converting irreversibly the plurality of the intermediate data selected, whereby such extended keys required in the case where common key cryptosystem is applied can be safely prepared at a high speed.

[0015] Furthermore, a computer readable recording medium and computer program of a twenty-first aspect wherein an extended key preparing program in which extended keys are prepared in common key cryptosystem from a cryptographic key input is to be recorded, comprises recording the program containing a dividing step for dividing binary digit string of the cryptographic key into a plurality of elements each composed of a predetermined bit length; an intermediate data preparing step for preparing a plurality of intermediate data by applying the plurality of times an operation wherein a predetermined constant is used to the respective elements divided by the dividing step; a selecting step for selecting a plurality of intermediate data corresponding to the number of stages of extended keys from the plurality of the intermediate data prepared by the intermediate data preparing step; and an extended key preparing step for preparing the extended keys corresponding to the number of stages by converting irreversibly the plurality of the intermediate data selected by the selecting step.

[0016] According to the invention of the twenty-first aspect, binary digit string of the cryptographic key is divided into a plurality of elements each composed of a predetermined bit length; a plurality of intermediate data are prepared by applying the plurality of times an operation wherein a predetermined constant is used to the respective elements; a plurality of intermediate data corresponding to the number of stages of extended keys are selected from the plurality of the intermediate data prepared; and the extended keys corresponding to the number of stages are prepared by converting irreversibly the plurality of the intermediate data selected, whereby such extended keys required in the case where common key cryptosystem is applied can be safely prepared at a high speed.

[0017] Other objects and features of this invention will become apparent from the following description with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0018] FIG. 1 is a block diagram showing the whole construction of cryptographic equipment used in the present embodiment;

[0019] FIG. 2 is a flowchart illustrating processing steps for preparing an extended key from a cryptographic key by means of the extended key processing equipment shown in FIG. 1;

[0020] FIG. 3 is an explanatory diagram for explaining a concept for preparing intermediate data by means of the intermediate data preparing equipment shown in FIG. 1;

[0021] FIGS. 4(a) and 4(b) are explanatory diagrams each for explaining a concept for preparing an extended key from the intermediate data by means of the extended key preparing apparatus shown in FIG. 1;

[0022] FIGS. 5(a), 5(b), and 5(c) are explanatory diagrams each for explaining selection of data by means of the selected value deciding equipment as well as rearrangement of data by means of the data rearrangement processing equipment shown in FIGS. 4(a) and 4(b);

[0023] FIGS. 6(a), 6(b), and 6(c) are explanatory diagrams (No. 1) each for explaining an example of operations for a nonlinear type function conducted by the intermediate data preparing equipment shown in FIG. 1;

[0024] FIGS. 7(d) and 7(e) are explanatory diagrams (No. 2) each for explaining another example of operations for the nonlinear type function conducted by the intermediate data preparing equipment shown in FIG. 1;

[0025] FIG. 8 is an explanatory diagram for explaining cryptographic processing by means of a usual common key cryptography; and

[0026] FIG. 9 is a block diagram illustrating a conventional algorithm based on DES cryptography.

DESCRIPTION OF THE PREFERRED EMBODIMENT

[0027] A preferred embodiment applied suitably for an extended key preparing apparatus, an extended key preparing method, and a recording medium according to the present invention will be described in detail hereinafter by referring to the accompanying drawings.

[0028] First, the whole construction of cryptographic equipment used in the present embodiment will be described. FIG. 1 is a block diagram illustrating the whole construction of the cryptographic equipment 1 used in the present embodiment. As shown in FIG. 1 the cryptographic equipment 1 is the one which prepares an extended key 1 to an extended key n from a cryptographic key in the case when a plaintext or the cryptographic key is input, and encrypts the plaintext by the use of the extended keys 1 to n prepared.

[0029] The cryptographic equipment 1 involves cryptographic processing equipment 2 for effecting cryptographic processing of a plaintext, and an extended key processing equipment 3 for preparing extended keys 1 to n required for encryption in the cryptographic processing equipment 2.

[0030] The cryptographic processing equipment 2 performs cryptographic processing (1) to (n) of n-stages by the use of the extended keys 1 to n to prepare a ciphertext corresponding to the plaintext, and the resulting ciphertext is output. In the cryptographic processing of n-stages (1) to (n), each cryptographic processing is carried out after receiving the extended keys 1 to n prepared in the extended key processing equipment 3, and the ciphertext is output from the final stage wherein the cryptographic processing (n) is carried out.

[0031] The extended key processing equipment 3 is the one for preparing the extended keys 1 to n, which are to be supplied to the cryptographic processing equipment 2 from a cryptographic key which has been input, and which is provided with intermediate data preparing equipment 4 and an extended key preparing equipment 5. It is to be noted that the present embodiment of the invention is characterized in that an extended key is prepared by such a manner that an intermediate data is once prepared by means of the intermediate data preparing equipment 4, and then the extended key is prepared by the use of the intermediate data thus prepared, unlike a conventional manner wherein an extended key is prepared simply from a cryptographic key.

[0032] The intermediate data preparing equipment 4 is a processing section for preparing intermediate data composed of respective elements of a.sub.i, b.sub.i, c.sub.i, and d.sub.i (i=0, 1, and 2) at the time when a cryptographic key is input. In the present embodiment, an explanation is made on the case where intermediate data a.sub.0 to a.sub.2, b.sub.0 to b.sub.2, C.sub.0 to c.sub.2, and d.sub.0 to d.sub.2 are prepared in case of "i=0, 1, and 2" for the convenience of explanation. While the detailed explanation will be made later, intermediate data are prepared by means of nonlinear type function, exclusive OR, addition, and multiplication in the intermediate data preparing equipment 4.

[0033] The extended key preparing equipment 5 is a processing section for preparing extended keys of the number corresponding to the specified number r of stages from the intermediate data which have been prepared by the intermediate data preparing equipment 4. More specifically, one each of elements (for example, a.sub.1, b.sub.0, c.sub.1, and d.sub.2) is selected from the respective elements a.sub.0 to a.sub.2, b.sub.0 to b.sub.2, c.sub.0 to c.sub.2, and d.sub.0 to d.sub.2, the respective elements thus selected are rearranged, for example, in such that b.sub.0, a.sub.1, d.sub.2, and c.sub.1, and a predetermined calculation is made on the rearranged elements to prepare the extended keys 1 to n.

[0034] Next, processing steps for preparing extended keys from a cryptographic key by means of the extended key processing equipment 3 shown in FIG. 1 will be described hereinafter. In this connection, FIG. 2 is a flowchart showing processing steps for preparing extended keys from a cryptographic key by the use of the extended key processing equipment 3 shown in FIG. 1.

[0035] As shown in FIG. 2, when a plaintext is input together with a cryptographic key (user key) by a user (step S1), the cryptographic key is incorporated into the intermediate preparing equipment 4.

[0036] Thereafter, the intermediate processing equipment 4 divides binary digit strings of the cryptographic key into data k.sub.0 to k.sub.7 of eight groups, and an operation wherein the undermentioned nonlinear type function M is applied is made upon these data k.sub.0 to k.sub.7 to acquire data k.sub.0' to k.sub.7' (step S2).

[0037] Then, a constant is added to each of even number-th data k.sub.0', k.sub.2', k.sub.4', and k.sub.6' (step S3), while odd number-th data k.sub.1', k.sub.3', k.sub.5', and k.sub.7' are multiplied by the constant (step S4), thereafter exclusive OR operation is implemented with respect to the even number-th data to each of which was added the constant as well as to the odd number-th data with each of which is multiplied by the constant (step S5), and then, a nonlinear type function M is applied to the results operated (step S6), whereby intermediate data a.sub.i to d.sub.i are prepared. In this case, however, since the i takes values of 0, 1, and 2, intermediate data a.sub.0 to a.sub.2, b.sub.0 to b.sub.2, c.sub.0 to c.sub.2, and d.sub.0 to d.sub.2, are obtained, in reality.

[0038] Thereafter, when the number r of stages of extended keys is input (step S7), corresponding data are selected from the intermediate data which have been already prepared (step S8), whereby the selected data are transposed in accordance with the number r (step S9). Then, irreversible conversion G is applied to the intermediate data after the transposition (step S10) to output an extended key of the r-th stage (step S11).

[0039] In the case when another extended key is required to be prepared (step S12; YES), it shifts to the above described step S7, and the same processing is repeated, while preparing process of extended key is completed in the case when a preparation of required extended keys was finished (step S12; NO).

[0040] As described above, when the processing in the above steps S1 to S6 is carried out, the intermediate data of a.sub.i to d.sub.i wherein i=0, 1, and 2 can be prepared. Furthermore, when the processing in the steps S7 to S12 is implemented, extended keys to which have been applied irreversible conversion can be prepared at a high speed by the use of the intermediate data prepared in the steps S1 to S6.

[0041] Next, a concept of preparing intermediate data by means of the intermediate data preparing equipment 4 shown in FIG. 1 will be described in more detail. In this connection, FIG. 3 is an explanatory diagram for explaining the concept of preparing intermediate data by means of the intermediate data preparing equipment 4 shown in FIG. 1. In FIG. 3, symbols "k.sub.0 to k.sub.7" designate binary digit strings which are obtained by dividing bit strings of a cryptographic key into eight groups, respectively, "M" is nonlinear type function operation, "+" means addition of a constant, ".times." means multiplication of a constant, and symbols "a.sub.i to d.sub.i" denote intermediate data.

[0042] As shown in FIG. 3, the intermediate data preparing equipment 4 divides binary digit strings of the cryptographic key into data k.sub.0 to k.sub.7 of eight groups. For instance, when the cryptographic key is composed of 128 (32.times.4) bits, the initial 32 bits correspond to k.sub.0, the next 32 bits correspond to k.sub.1, the following 32 bits are identified by k.sub.2, and the further following 32 bits are identified as k.sub.3 wherein there are the following relationships, i.e., k.sub.4=k.sub.0, k.sub.5=k.sub.1, k.sub.6 =k.sub.2, and k.sub.7=k.sub.3, respectively. Thus, 32 bits each of data k.sub.0 to k.sub.7 are obtained.

[0043] Furthermore, when the cryptographic key is composed of 192 (32.times.6) bits, k.sub.0 to k.sub.5 are prepared wherein relationships k.sub.6=k.sub.0, and k.sub.7=k.sub.1 are established. Still further, when the cryptographic key is composed of 256 (32.times.8) bits, the cryptographic key is divided into 32 bits each to obtain 32 bits each of data k.sub.0 to k.sub.7. According to the manner described above, a cryptographic key may be divided into 32 bits each of data k.sub.0 to k.sub.7, even if the cryptographic key has any length of 128 bits, 192 bits or 256 bits.

[0044] Thus, as shown in FIG. 3, a nonlinear type function M is applied to the respective data of k.sub.0 to k.sub.7 to obtain 32 bit data of k.sub.0' to k.sub.7' corresponding respectively to the data k.sub.0 to k.sub.7. Then, a constant is added to even number-th data k.sub.0', k.sub.2', k.sub.4', and k.sub.6', respectively, while odd number-th data k.sub.1', k.sub.3.sup.1', k.sub.5' and k.sub.7' are multiplied by the constant, respectively.

[0045] Thereafter, exclusive OR operation is subjected to a bit string of a even number-th data to which was added a constant (e.g., k.sub.0' +M(4i)) and an odd number-th bit string to which was multiplied by the constant (e.g., k.sub.1' .times.(i+1)), respectively, and further the nonlinear type function M is applied to these operated results to prepare intermediate data a.sub.i to d.sub.i.

[0046] It is to be noted herein that constants used in the above-described steps S4 to S6 are M(4i) and (i+1) as shown in FIG. 3 wherein i takes a value of 0, 1, or 2, whereby intermediate data a.sub.0 to a.sub.2, b.sub.0 to b.sub.2, c.sub.0 to c.sub.2, and d.sub.0 to d.sub.2 are obtained.

[0047] Next, a concept for preparing extended key from intermediate data by means of the extended key preparing equipment 5 shown in FIG. 1 will be described in more detail. In this connection, FIGS. 4(a) and 4(b) are explanatory diagrams each for explaining a concept for preparing extended key from intermediate data by the use of the extended key preparing equipment 5 shown in FIG. 1.

[0048] As shown in FIG. 4(a), the extended key preparing equipment 5 is provided with a selector value deciding device, selectors, a data rearrangement processing device, and a G (X, Y, Z, W) calculating device. The selected value deciding device is a one for deciding xr, yr, zr, and wr indicating respective elements a, b, c, and d to be selected from among the respective intermediate data a.sub.i, b.sub.i, c.sub.i, and d.sub.i (i=0, 1, or 2) based on the number of stages r of an extended key to be prepared.

[0049] A selector selects intermediate data a(X.sub.r) b(y.sub.r) c(Z.sub.r), and d(W.sub.r), respectively, in accordance with the x.sub.r, y.sub.r, Z.sub.r, and w.sub.r decided by the selector value deciding device.

[0050] The data rearrangement processing device rearranges (transposes) the data a(X.sub.r), b(Y.sub.r), c(Z.sub.r), and d(W.sub.r) based on the number of stages r. More specifically, transpositions corresponding to the number of stages r are implemented as shown in FIG. 5(c), which will be described hereinafter.

[0051] The G(X, Y, Z, W, and r) calculating device prepares an extended key E.sub.xKey.sub.r based on the data (X, Y, Z, and W) after the rearrangement. The construction of the G(X, Y, Z, W, and r) calculating device is as shown in FIG. 4(b). In the same figure, a representation "<<<1" means 1 bit leftward cyclical shifting for shifting bit string of data cyclically leftwards by 1 bit, "+" means addition of two data, "-" means for subtracting a certain data from another data, and "{circumflex over (+)}" means exclusive OR.

[0052] In the following, procedure steps for preparing an extended key by means of the extended key preparing equipment 5 will be described. As shown in FIG. 4(a), when the number of stages r is input, the corresponding data are selected from among intermediate data, and the data selected are transposed in accordance with the number r. More specifically, one data is selected in every elements in such a manner that a.sub.1 is selected from among a.sub.0 to a.sub.2, while b.sub.0 is selected from among b.sub.0 to b.sub.2.

[0053] For instance, when "a.sub.1, b.sub.0, c.sub.1, and d.sub.2" are selected, they are transposed into "b.sub.0, a.sub.1, d.sub.2, and c.sub.1" wherein X=b.sub.0, Y=a.sub.1, Z=d.sub.2, and W=c.sub.1, respectively, in the case shown in FIG. 4.

[0054] Then, irreversible conversion is applied the irreversible conversion G to the intermediate data after the transposition thereof to output an extended key in the r-th stage. More specifically, the data X is sifted cyclically leftwards by 1 bit, it is added to the data Y, besides the data Z is shifted cyclically leftwards by 1 bit, and the data W is subtracted there from whereby it is cyclically shifted leftwards by 1 bit. Then, results of the both data were subjected to exclusive OR operation to produce the extended key r in the r-th stage.

[0055] Next, selection of data by means of the selected value deciding equipment as well as rearrangement of data by means of the data rearrangement processing equipment shown in FIG. 4(a) will be described in more detail. In this connection, FIGS. 5(a), 5(b), and 5(c) are explanatory diagrams for each explaining the selection of data by means of the selected value deciding equipment as well as the rearrangement of data by means of the data rearrangement processing equipment shown in FIG. 4(a).

[0056] FIG. 5(a) expresses equations (1), which is applied at the time when intermediate data to be selected is selected by the selected value deciding equipment, and they are as follows:

X.sub.r=Z.sub.r=r mod 3

y.sub.r=w.sub.r=r+[r/3]mod 3

[0057] as expressed in equations (1).

[0058] FIG. 5(b) is a diagram illustrating schematically the equations (1) shown in FIG. 5(a) wherein numerical values corresponding to that, which are to be selected from one of three numbers of 0, 1, and 2 are indicated in the case where the number of stages is r, and a group composed of nine numbers are cycled.

[0059] When a value corresponding to the number of stages r (one of three numbers i=0, 1, and 2) is decided in accordance with FIG. 5(a) or FIG. 5(b), (X.sub.r, Y.sub.r, Z.sub.r, and W.sub.r) corresponding to the number of stages r can be selected from the number i each of intermediate data shown in FIG. 4(a).

[0060] FIG. 5(c) shows an order table that is used in the case where rearrangement is implemented by means of the data rearrangement processing equipment. This order table functions to decide an order in the case where the intermediate data (X.sub.r, Y.sub.r, Z.sub.r, and W.sub.r) of the number of stages r selected in FIG. 5(a) or FIG. 5(b) are rearranged (replaced). More specifically, rearrangement is carried out in accordance with the order table wherein the number of stages r on the left side are allowed to correspond to orders for rearrangement on the right side in the figure.

[0061] For instance, when "a.sub.1, b.sub.0, c.sub.1, and d.sub.2" are selected, it becomes "a.sub.1, b.sub.0, c.sub.1, and d.sub.2" in the case where the number of stages is 0, it comes to be "b.sub.0, a.sub.1, d.sub.2, and c.sub.1" in the case where the number of stages is 1, and further it becomes "d.sub.2, c.sub.1, b.sub.0, and a.sub.1" in the case where the number of stages is 2.

[0062] Next, an example of nonlinear type function operation performed by the intermediate data preparing equipment 4 shown in FIG. 1 will be described. It is to be noted that the present invention is not limited to this nonlinear type operation, but a variety of nonlinear type operations may also be applied. FIGS. 6(a), 6(b), and 6(c) as well as FIGS. 7(d) and 7(e) are explanatory diagrams for each explaining an example of nonlinear type function operation carried out by the intermediate data preparing equipment 4 shown in FIG. 1.

[0063] FIG. 6(a) illustrates an example of the whole construction of operation for the nonlinear type function M wherein a case where the nonlinear type function M is operated by applying a user key (cryptographic key) m of 32 bits to prepare a result w of 32 bits is shown.

[0064] As illustrated, a user key of 32 bits is divided herein into m.sub.0, m.sub.1, m.sub.2, m.sub.3, m.sub.4, and m.sub.5 of 6, 5, 5, 5, 5, and 6 bits, respectively. Then, values x are converted into those of S5 (x) as to m.sub.1, m.sub.2, m.sub.3, and m.sub.4 which are divided into 5 bits, respectively, in accordance with the table of S5 (x) shown in FIG. 6(b).

[0065] Likewise, values of x are converted into values of S6 (x) as to m.sub.0, and m.sub.6 divided in 6 bits, respectively, in accordance with S6 (x) shown in FIG. 6(c), whereby data v shown in FIG. 6(a) is prepared.

[0066] Thereafter, values of MDS (x) shown in FIG. 7(d) are placed at respective positions of a determinant shown in FIG. 7(e), besides data v are also disposed in the determinant concerning the determinant shown in FIG. 7(e), and both the values are subjected to matrix computation to calculate values w. Thus, results (operation results of nonlinear type function M) by means of an XOR calculating device wherein the MDS of FIG. 6(a) is used are obtained.

[0067] Next, processing in the first stage for preparing intermediate data from a cryptographic key which has been already explained as well as processing in the second stage for preparing extended keys of the number of stages r assigned by the intermediate data will be described by the use of mathematical models and signs.

[0068] (1) Processing in the first stage (processing for preparing intermediate data from a cryptographic key):

[0069] (1-1) A cryptographic key of 256 bits is divided into eight data k.sub.0, k.sub.1, . . . , k.sub.7 in every 32 bits (see FIG. 3).

[0070] (1-2) Intermediate data a.sub.i, b.sub.i, c.sub.i, and d.sub.i (i=0, 1, 2) are prepared in accordance with calculations of the following paragraphs (1-3) to (1-6) by utilizing nonlinear type function M to which is input data of 32 bits that was divided in the paragraph (1-1), while which outputs the data of 32 bit (see FIG. 3). Furthermore, process steps (3-1) to (3-6) are executed with respect to the nonlinear type function M.

[0071] (1-3) a.sub.i=M (Ta (k.sub.0, i) XOR Ua (k.sub.1, i) wherein Ta (k.sub.0, i)=M (k.sub.0)+M (4i), Ua (k.sub.1, i)=M (k.sub.1).times.(i+1) is calculated. XOR represents an exclusive OR operation.

[0072] (1-4) b.sub.i=M (Tb (k.sub.2, i) XOR Ub (k.sub.3, i) wherein Tb (k.sub.3, i)=M (k.sub.2)+M (4i+1), Ub (k.sub.3, i)=M (k.sub.3).times.(i+1) is calculated.

[0073] (1-5) c.sub.i=M (Tc (k.sub.4, i) XOR Uc (k.sub.5, i) wherein Tc (k.sub.4, i)=M (k.sub.4)+M (4i+2), Uc (k.sub.5, i)=M (k.sub.5).times.(i+1) is calculated.

[0074] (1-6) d.sub.i=(Td (k.sub.6, i) XOR Ud (k.sub.7, 1) ) wherein Td (k.sub.6, i)=M (k.sub.6)+M (4i+3), Ud (k.sub.7, i)=M (k.sub.7).times.(i+1) is calculated.

[0075] (2) Processing in the second stage (processing for preparing extended keys of the number of stages r from intermediate data):

[0076] (2-1) Calculation is made with respect to extended keys E.sub.xKey.sub.r of the number of stages r (r=0, 1, and 2) in accordance with the following paragraphs (2-2) to (2-4) (see FIG. 4(a)).

[0077] (2-2) A progression X, Y, Z, W represented by Xr=Zr=r mod 3, Yr=Wr=r+[r/3] mod 3 (Equation (1)) is used to obtain (X, Y, Z, W)=(a (Xr), b (Yr), c (Zr), d (Wr))

[0078] (2-3) Data rearrangement represented by (X, Y, Z, W) =ORDER_12 (X, Y, Z, W, r' ) wherein ORDER_12 (X, Y, Z, W, r') is the one shown in FIG. 5(c) is made with respect to r' satisfying r'= (r+[r/36]) mod 12.

[0079] (2-4) Extended keys of the number of stages r are calculated by means of E.sub.xKey.sub.r=G (X, Y, Z, W) wherein G (X, Y, Z, W)=((x<<<1) +Y) XOR (((Z<<<1) -W) <<<1), and <<<1 indicates 1 bit leftward cyclical shifting (see FIG. 4(b)).

[0080] (3) Operation processing of nonlinear type function M:

[0081] (3-1) In accordance with the following paragraphs (3-2) to (3-6), result w of 32 bits is output from input m of 32 bits (see FIG. 6(a)).

[0082] (3-2) The input m is bit-divided to acquire values m.sub.0, . . . , m.sub.5 in the following forms:

[0083] m.sub.0=(the 5th bit from the 0th bit of m)

[0084] m.sub.1=(the 10th bit from the 6th bit of m)

[0085] m.sub.2=(the 15th bit from the 61th bit of m)

[0086] m.sub.3=(the 20th bit from the 16th bit of m)

[0087] m.sub.4=(the 25th bit from the 21st bit of m)

[0088] m.sub.5=(the 31st bit from the 26th bit of m)

[0089] (3-3) A nonlinear type transformation function S.sub.5 which outputs 5 bits in respect of input of 5 bits as well as a nonlinear type conversion function S.sub.6 which outputs 6 bits in respect of input of 6 bits wherein S.sub.5 and S.sub.6 are those shown in FIGS. 6(b) and 6(c), respectively, are used to acquire the following results:

[0090] s.sub.0=S.sub.6 (m.sub.0)

[0091] s.sub.1=S.sub.5 (m.sub.1)

[0092] s.sub.2=S.sub.5 (m.sub.2)

[0093] s.sub.3=S.sub.5 (m.sub.3)

[0094] s.sub.4=S.sub.5 (m.sub.4)

[0095] s.sub.5=S.sub.6 (m.sub.5)

[0096] (3-4) An equation v=s0 .vertline.s1.vertline.s2.vertline.s3.vertlin- e.s4.vertline.s5 wherein ".vertline." represents link of bit values is calculated.

[0097] (3-5) An equation w=(v0.times.MDS (0)) XOR (v1.times.MDS (1)) XOR . . . XOR (v 31.times.MDS (31)) wherein vi.times.MDS (i) is 0 in case of vi=0, while it is MDS (i) in case of vi =1, by means of the conversion table MDS which is output 32 bits from the bit value vi that is the i-th v and the input of 5 bits, and MDS is the one shown in FIG. 7(d) is calculated.

[0098] (3-6) The system outputs w.

[0099] As mentioned above, the present embodiment is constructed in such that intermediate data a.sub.i, b.sub.i, c.sub.i, and d.sub.i are prepared by the intermediate data preparing equipment 4 from a cryptographic key through a nonlinear type function operation and the like, the extended key preparing equipment 5 selects a [Xr], b [Yr], c [Zr], and d [Wr] corresponding to the number of stages r from the intermediate data, and rearranges the data as well as implements that of bit operation to prepare extended keys. As a result, safe extended keys can be prepared from a cryptographic key at a high speed.

[0100] More specifically, the present invention has such a construction in that intermediate data are prepared from a cryptographic key in the first stage, arbitrary data are selected from the intermediate data to effect irreversible conversion in the second stage, whereby extended keys of an arbitrary number of extended keys are prepared. Thus, it becomes possible to prepare the extended keys at a high speed through irreversible conversion, whereby safety in common key system can be elevated.

[0101] As a result, the present invention provides the following advantages.

[0102] (1) For instance, although a significant period of time is required for preparing one intermediate data, the number of intermediate data required can be reduced by the extended key preparing equipment 5, whereby extended keys each having high safety can be prepared at a high speed.

[0103] (2) In the case where only extended keys, which will be required are prepared on the course of processing for encryption or decryption without storing all of extended keys E.sub.xKey.sub.0, E.sub.xKey.sub.1, . . . , E.sub.xKey.sub.n-1 prepared, only the extended keys which correspond to the number of stages r assigned can be prepared at a high speed.

[0104] Further explanation will be made in this respect, in a common key cryptosystem, in general, when extended keys are used in an order of E.sub.xKey.sub.0, E.sub.xKey.sub.1, . . . , E.sub.xKey.sub.n-1 in encryption, the extended keys are employed in the reverse order of that in the encryption in such order of E.sub.xKey.sub.n-1, . . . , E.sub.xKey.sub.1, E.sub.xKey.sub.0 in decryption. In this case, when successive preparation is made in accordance with an extended key preparing apparatus wherein a value of E.sub.xKey.sub.0 is required for preparing E.sub.xKey.sub.1, (see FIG. 9 mentioned already), E.sub.xKey.sub.1, cannot be directly prepared, but E.sub.xKey.sub.0 is previously prepared, and then E.sub.xKey.sub.1, is prepared by the use of the former E.sub.xKey.sub.0. Accordingly, a period of time for preparing an extended key in decryption is longer than that of the encryption by an amount corresponding to the time as explained above.

[0105] On the other hand, since extended keys can be prepared by assigning an arbitrary number of stages r independent from the other extended keys in the present embodiment, the same period of time is required in both of a case where extended keys are prepared in an order of E.sub.xKey.sub.0, E.sub.xKey.sub.1, . . . , E.sub.xKey.sub.n-1 and a case where extended keys are prepared in an order of E.sub.xKey.sub.n-1, . . . , E.sub.xKey.sub.1, E.sub.xKey.sub.0.

[0106] As described above, the present embodiment according to the invention exhibits such a remarkable advantage that even if extended keys are prepared successively, periods of time for processing encryption and decryption can make equal to each other, whereby an appearance of a longer period of time for preparing extended keys in decryption than that of encryption can be avoided.

[0107] While only the case where i=0, 1, and 2 has been described in the present embodiment for the convenience of explanation, the present invention is not limited thereto, but it is also applicable for the case where i is 3 or more. Furthermore, although an example of nonlinear type function operation has been described herein, the invention is not limited thereto, but other one way functions such as so-called hash function and the like are applicable.

[0108] As described above, according to the invention claimed in the first aspect, binary digit string of the cryptographic key is divided into a plurality of elements each composed of a predetermined bit length; a plurality of intermediate data are prepared by applying the plurality of times an operation wherein a predetermined constant is used to the respective elements; a plurality of intermediate data corresponding to the number of stages of extended keys are selected from the plurality of the intermediate data prepared; and the extended keys corresponding to the number of stages are prepared by converting irreversibly the plurality of the intermediate data selected, whereby there is an advantage to provide an extended key preparing apparatus by which such extended keys required in the case where common key cryptosystem is applied can be safely prepared at a high speed.

[0109] According to the invention claimed in the second aspect, nonlinear type operation is effected with respect to the respective elements divided, whereby there is an advantage to provide an extended key preparing apparatus by which bits forming a cryptographic key are diffused, so that safety in cryptograph can be much more increased.

[0110] According to the invention claimed in the third aspect, when the cryptographic key is divided into eight elements of 32 bits, the nonlinear type operating means separates the elements into 6, 5, 5, 5, 5, and 6 bits to transpose the same into other data, respectively, and the data after transposition are subjected to nonlinear type operation by the use of a determinant, whereby there is an advantage to provide an extended key preparing apparatus by which nonlinear type operation can be efficiently carried out at a high speed.

[0111] According to the invention claimed in the fourth aspect, a constant is added to an odd number-th element which has been subjected to nonlinear type operation; besides an even number-th element which has been subjected to nonlinear type operation is multiplied by the constant; and exclusive OR operation of both the odd number-th element and the even number-th element is effected, whereby there is an advantage to provide an extended key preparing apparatus by which intermediate data can be efficiently prepared.

[0112] According to the invention claimed in the fifth aspect, the result of the exclusive OR operation is subjected to nonlinear type operation to prepare intermediate data, whereby there is an advantage to provide an extended key preparing apparatus by which bits forming the result of the exclusive OR operation are further diffused, so that safety in cryptograph can be much more improved.

[0113] According to the invention claimed in the sixth aspect, the plurality of times of additions and multiplications are repeated with the use of the number i of different constants, respectively, to prepare the number i of data in every elements; i times of operations for acquiring exclusive OR of the odd number-th element and the even number-th element which have been operated by the use of the same constants are repeated; and the number i of intermediate data are prepared in every elements, whereby there is an advantage to provide an extended key preparing apparatus by which a plurality of intermediate data can be prepared in every respective elements by a simple procedure.

[0114] According to the invention claimed in the seventh aspect, one intermediate data corresponding to the number of stages of an extended key is selected among the number i of intermediate data contained in the respective elements prepared, whereby there is an advantage to provide an extended key preparing apparatus by which independency of a certain extended key can be maintained with respect to the other keys.

[0115] According to the invention claimed in the eighth aspect, a plurality of intermediate data selected are rearranged; and the plurality of intermediate data which have been rearranged are converted irreversibly, whereby there is an advantage to provide an extended key preparing apparatus by which unidirectional property of a certain cryptographic key towards extended keys can be maintained, so that even if a certain extended key leaks out, the cryptographic key can be held in secret.

[0116] According to the invention claimed in the ninth aspect, when intermediate data are rearranged in an order of elements X, Y, Z, and W by the rearrangement means, a first data is prepared by adding the element Y to a data obtained by shifting cyclically the element X leftwards by 1 bit; a second data is prepared by sifting cyclically the data leftwards by further 1 bit, which data has been obtained by subtracting the element W from a data obtained by shifting cyclically the element Z leftwards by 1 bit; and exclusive OR of the first data and the second data is operated, whereby there is an advantage to provide an extended key preparing apparatus by which irreversible conversion can be efficiently implemented at a high speed.

[0117] According to the invention claimed in the tenth aspect, a cryptographic key of 128 bits, 192 bits, or 256 bits is divided into eight elements of 32 bits, whereby there is an advantage to provide an extended key preparing apparatus by which the extended key can be prepared by using the same logic, even if the number of bits input differs in extended key.

[0118] According to the invention claimed in the eleventh aspect, binary digit string of the cryptographic key is divided into a plurality of elements each composed of a predetermined bit length; a plurality of intermediate data are prepared by applying the plurality of times an operation wherein a predetermined constant is used to the respective elements; a plurality of intermediate data corresponding to the number of stages of extended keys are selected from the plurality of the intermediate data prepared; and the extended keys corresponding to the number of stages are prepared by converting irreversibly the plurality of the intermediate data selected, whereby there is an advantage to provide an extended key preparing method by which such extended keys required in the case where common key cryptosystem is applied can be safely prepared at a high speed.

[0119] According to the invention claimed in the twelfth aspect, nonlinear type operation is effected with respect to the respective elements divided, whereby there is an advantage to provide an extended key preparing method by which bits forming a cryptographic key are diffused, so that safety in cryptograph can be much more increased.

[0120] According to the invention claimed in the thirteenth aspect, when the cryptographic key is divided into eight elements of 32 bits, the nonlinear type operating means separates the elements into 6, 5, 5, 5, 5, and 6 bits to transpose the same into other data, respectively, and the data after transposition are subjected to nonlinear type operation by the use of a determinant, whereby there is an advantage to provide an extended key preparing method by which nonlinear type operation can be efficiently carried out at a high speed.

[0121] According to the invention claimed in the fourteenth aspect, a constant is added to an odd number-th element which has been subjected to nonlinear type operation; besides an even number-th element which has been subjected to nonlinear type operation is multiplied by the constant; and exclusive OR operation of both the odd number-th element and the even number-th element is effected, whereby there is an advantage to provide an extended key preparing method by which intermediate data can be efficiently prepared.

[0122] According to the invention claimed in the fifteenth aspect, the result of the exclusive OR operation is subjected to nonlinear type operation to prepare intermediate data, whereby there is an advantage to provide an extended key preparing method by which bits forming the result of the exclusive OR operation are further diffused, so that safety in cryptograph can be much more improved.

[0123] According to the invention claimed in the sixteenth aspect, the plurality of times of additions and multiplications are repeated with the use of the number i of different constants, respectively, to prepare the number i of data in every elements; i times of operations for acquiring exclusive OR of the odd number-th element and the even number-th element which have been operated by the use of the same constants are repeated; and the number i of intermediate data are prepared in every elements, whereby there is an advantage to provide an extended key preparing method by which a plurality of intermediate data can be prepared in every respective elements by a simple procedure.

[0124] According to the invention claimed in the seventeenth aspect, one intermediate data corresponding to the number of stages of an extended key is selected among the number i of intermediate data contained in the respective elements prepared, whereby there is an advantage to provide an extended key preparing method by which independency of a certain extended key can be maintained with respect to the other keys.

[0125] According to the invention claimed in the eighteenth aspect, a plurality of intermediate data selected are rearranged; and the plurality of intermediate data which have been rearranged are converted irreversibly, whereby there is an advantage to provide an extended key preparing method by which unidirectional property of a certain cryptographic key towards extended keys can be maintained, so that even if a certain extended key leaks out, the cryptographic key can be held in secret.

[0126] According to the invention claimed in the nineteenth aspect, when intermediate data are rearranged in an order of elements X, Y, Z, and W by the rearrangement means, a first data is prepared by adding the element Y to a data obtained by shifting cyclically the element X leftwards by 1 bit; a second data is prepared by sifting cyclically the data leftwards by further 1 bit, which data has been obtained by subtracting the element W from a data obtained by shifting cyclically the element Z leftwards by 1 bit; and exclusive OR of the first data and the second data is operated, whereby there is an advantage to provide an extended key preparing method by which irreversible conversion can be efficiently implemented at a high speed.

[0127] According to the invention claimed in the twentieth aspect, a cryptographic key of 128 bits, 192 bits, or 256 bits is divided into eight elements of 32 bits, whereby there is an advantage to provide an extended key preparing method by which the extended key can be prepared by using the same logic, even if the number of bits input differs in extended key.

[0128] According to the invention claimed the twenty-first aspect, binary digit string of the cryptographic key is divided into a plurality of elements each composed of a predetermined bit length; a plurality of intermediate data are prepared by applying the plurality of times an operation wherein a predetermined constant is used to the respective elements; a plurality of intermediate data corresponding to the number of stages of extended keys are selected from the plurality of the intermediate data prepared; and the extended keys corresponding to the number of stages are prepared by converting irreversibly the plurality of the intermediate data selected, whereby there is an advantage to provide a computer readable recording medium by which such extended keys required in the case where common key cryptosystem is applied can be safely prepared at a high speed.

[0129] Although the invention has been described with respect to a specific embodiment for a complete and clear disclosure, the appended claims are not to be thus limited but are to be construed as embodying all modifications and alternative constructions that may occur to one skilled in the art which fairly fall within the basic teaching herein set forth.

* * * * *

uspto.report is an independent third-party trademark research tool that is not affiliated, endorsed, or sponsored by the United States Patent and Trademark Office (USPTO) or any other governmental organization. The information provided by uspto.report is based on publicly available data at the time of writing and is intended for informational purposes only.

While we strive to provide accurate and up-to-date information, we do not guarantee the accuracy, completeness, reliability, or suitability of the information displayed on this site. The use of this site is at your own risk. Any reliance you place on such information is therefore strictly at your own risk.

All official trademark data, including owner information, should be verified by visiting the official USPTO website at www.uspto.gov. This site is not intended to replace professional legal advice and should not be used as a substitute for consulting with a legal professional who is knowledgeable about trademark law.

© 2024 USPTO.report | Privacy Policy | Resources | RSS Feed of Trademarks | Trademark Filings Twitter Feed